How Twitter Accounts—Like the AP’s—Get Hacked

By Christopher Mims

April 23, 2013

The Twitter account belonging to the Associated Press was just hacked and used to tweet that there were explosions at the White House. Markets immediately reacted accordingly, with the Dow dropping 144 points before recovering in minutes, demonstrating the power that such hacks have.

While the people who run the AP’s social media accounts are surely reviewing their security procedures even now, it’s worth pointing out that defending against such attacks is relatively simple. Twitter’s official page on what to do when an account is compromised has a helpful section on the subject, which cites everything from computer viruses to handing out your Twitter credentials to malicious websites as sources of Twitter hacks.

But the truth is, across all password-protected sites on the web, the most likely way for an account to be compromised is simply bad password hygiene, aka password re-use. When hackers compromise a site with weak security, they get their hands on huge databases of password and email address pairs. Then, when they want to attack a site with good security, like Twitter, they simply try out passwords gained in the previous attack. It works because the passwords are often the same across sites—i.e., humans are lazy.
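For the people defending a site, the replay of a stolen email and password list described above leaves a recognizable trace in login logs: one source touches many different accounts, with only a try or two each. The sketch below is an added example, not part of the original article; the event format, thresholds, addresses and account names are all assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample login events: (source_ip, account, login_succeeded).
# IPs are from documentation ranges; accounts are made up.
SAMPLE_EVENTS = (
    # One source trying six different accounts once each (list replay).
    [("198.51.100.7", f"{u}@example.com", u == "bob")
     for u in ("alice", "bob", "carol", "dave", "erin", "frank")]
    # One source failing eight times on a single account (not list replay).
    + [("203.0.113.9", "grace@example.com", False)] * 8
    # An ordinary successful login.
    + [("192.0.2.44", "heidi@example.com", True)]
)


def flag_list_replay(events, min_accounts=5, max_tries=2):
    """Flag sources whose logins look like replay of leaked credential pairs.

    A source is flagged when it touches at least `min_accounts` distinct
    accounts with no more than `max_tries` attempts on each (assumed
    thresholds). Returns {source: [accounts where the replay succeeded]};
    those accounts reused a leaked password and need a forced reset.
    """
    tries = defaultdict(lambda: defaultdict(list))
    for source, account, ok in events:
        tries[source][account].append(ok)

    flagged = {}
    for source, accounts in tries.items():
        # Keep only accounts probed lightly; repeated hammering on one
        # account is guessing, not reuse of a known pair.
        shallow = {a: r for a, r in accounts.items() if len(r) <= max_tries}
        if len(shallow) >= min_accounts:
            flagged[source] = sorted(a for a, r in shallow.items() if any(r))
    return flagged


if __name__ == "__main__":
    for source, hits in flag_list_replay(SAMPLE_EVENTS).items():
        print(f"{source}: possible list replay, reset passwords for {hits}")
```

The accounts returned for a flagged source are the ones where a password from another site still worked, which is the group that needs a reset first.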